[wp-trac] [WordPress Trac] #38820: REST API: Clients should not be allowed to set arbitrary comment_type's
WordPress Trac
noreply at wordpress.org
Wed Nov 16 13:10:07 UTC 2016
#38820: REST API: Clients should not be allowed to set arbitrary comment_type's
--------------------------+-----------------------
Reporter: dd32 | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.7
Component: Comments | Version:
Severity: normal | Keywords: has-patch
Focuses: rest-api |
--------------------------+-----------------------
The Comments API currently allows unauthed users to create comments with
any `comment_type`; this includes `'comment'` (which internally is
sanitized to `''`), `'pingback'`, and
`'foobar'`/`'custom_internal_comment_type'`.
The comments API should only allow a user to create a standard comment;
anything other than that should be done through another specialised
endpoint, or by a plugin enabling the extra `comment_type` ability.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38820>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
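A defensive check of the kind the ticket asks for, as an added example that is neither the ticket's patch nor core code: a plugin callback on the `rest_pre_insert_comment` filter (assumed here to be the filter the comments controller applies to the prepared comment before inserting it) that rejects anything except a standard comment. The function name is hypothetical.

```php
<?php
/**
 * Only allow standard comments to be created through the REST comments endpoint.
 *
 * Core stores a standard comment with an empty comment_type; a request that
 * sends 'comment' is normalised to '' as well. Any other value ('pingback',
 * 'foobar', a plugin's internal type) is refused with a 400.
 *
 * @param array|WP_Error  $prepared_comment Comment data about to be inserted.
 * @param WP_REST_Request $request          The incoming request.
 * @return array|WP_Error
 */
function example_restrict_rest_comment_type( $prepared_comment, $request ) {
    // An earlier filter may already have produced an error; pass it through.
    if ( is_wp_error( $prepared_comment ) ) {
        return $prepared_comment;
    }

    $type = isset( $prepared_comment['comment_type'] )
        ? (string) $prepared_comment['comment_type']
        : '';

    if ( '' !== $type && 'comment' !== $type ) {
        return new WP_Error(
            'rest_invalid_comment_type',
            __( 'Only standard comments can be created through this endpoint.' ),
            array( 'status' => 400 )
        );
    }

    // Normalise to the value core uses for a standard comment.
    $prepared_comment['comment_type'] = '';

    return $prepared_comment;
}
add_filter( 'rest_pre_insert_comment', 'example_restrict_rest_comment_type', 10, 2 );
```

A plugin that legitimately needs another type can hook the same filter at a later priority and whitelist its own value.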